WO2019174523A1 - System and apparatus for transmitting an application programming interface (API) request - Google Patents


Publication number
WO2019174523A1
WO2019174523A1 PCT/CN2019/077392 CN2019077392W WO2019174523A1 WO 2019174523 A1 WO2019174523 A1 WO 2019174523A1 CN 2019077392 W CN2019077392 W CN 2019077392W WO 2019174523 A1 WO2019174523 A1 WO 2019174523A1
Authority
WO
WIPO (PCT)
Prior art keywords
api
request
forwarding label
gateway
parameter
Application number
PCT/CN2019/077392
Other languages
English (en)
Chinese (zh)
Inventor
陆昕
陈劲
惠毓赓
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP19767599.4A (patent EP3726786B1)
Priority to JP2020536559A (patent JP7056893B2)
Publication of WO2019174523A1
Priority to US16/933,195 (patent US11956210B2)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context

Definitions

  • The present application relates to the field of computer technologies, and in particular to a method and apparatus for transmitting an application programming interface (API) request.
  • The micro-service architecture has gradually become the mainstream application architecture because it is easy to maintain and quick to iterate on.
  • Developers can split an application into multiple stand-alone servers and divide the servers into multiple security domains based on the security level of each server.
  • An API gateway is set in each security domain; it receives the API requests sent by clients and forwards each API request to the corresponding server.
  • An API request sent by a client carries a request address.
  • When the API gateway receives the API request, it parses the API request to obtain the request address, and then queries the pre-stored correspondence table between request addresses and service addresses according to the request address to obtain a target service address. If the target service address is a service address of the security domain to which the API gateway belongs, the API request is forwarded to the corresponding server; if the target service address is the address of the API gateway of another security domain (that is, the API request needs to span multiple security domains), the API request is sent to the next-hop API gateway, and the next-hop API gateway performs the above processing, until the request is forwarded to the corresponding server.
  • Embodiments of the present invention provide a method for transmitting an application programming interface (API) request, which can improve API request efficiency.
  • The technical solution is as follows:
  • A method of transmitting an application programming interface (API) request, comprising:
  • The first API gateway receives a first API request; the first API gateway acquires a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, and the security domain identifier of the first API gateway is different from the first target security domain identifier; the first API gateway determines the address of a second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and sends the first API request to the second API gateway according to the address of the second API gateway; the second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • The first API gateway receives the first API request and determines, according to the mapping table of the first forwarding label, the first forwarding label corresponding to the first API request, where the first forwarding label includes the first target security domain identifier. The first API gateway then determines the address of the second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and sends the first API request to the second API gateway; the second API gateway can subsequently process the request directly according to the first forwarding label. Since the number of security domain identifiers is far smaller than the number of request addresses, the number of queries of the correspondence table between request addresses and service addresses is reduced, thereby improving the efficiency of the API request.
  • the acquiring, by the first API, the first forwarding label corresponding to the first API request includes:
  • the acquiring, by the first API, the first forwarding label corresponding to the first API request includes:
  • the first parameter includes an API calling mode and/or a protocol version number; determining, according to the request path, the first parameter, and a preset eigenvalue algorithm, a feature value corresponding to the first API request; and determining the first forwarding label according to the feature value and a mapping table of the first forwarding label.
  • the acquiring, by the first API, the first forwarding label corresponding to the first API request includes:
  • the method further includes:
  • the first API gateway receives a second API request, where the second API request carries a second forwarding label, and the second forwarding label includes the security domain identifier of the first API gateway and a first target service address;
  • the first API gateway deletes the second forwarding label in the second API request; the first API gateway sends the second API request, after the second forwarding label is deleted, to the server corresponding to the first target service address.
  • the method further includes:
  • the first API gateway receives a third API request, and the first API gateway acquires a third forwarding label corresponding to the third API request, where the third forwarding label includes the security domain identifier of the first API gateway and a second target service address; the first API gateway sends the third API request to the server corresponding to the second target service address.
  • an apparatus for transmitting an application programming interface API request is provided, the apparatus being applied to a first API gateway, the apparatus comprising:
  • a first receiving module, configured to receive a first API request; a first acquiring module, configured to acquire a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, and the security domain identifier of the first API gateway is different from the first target security domain identifier; and a first sending module, configured to determine the address of a second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and to send the first API request to the second API gateway according to the address of the second API gateway, where the second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • the first acquiring module specifically includes:
  • the first acquiring module specifically includes:
  • the first parameter includes an API calling mode and/or a protocol version number; determining, according to the request path, the first parameter, and a preset eigenvalue algorithm, a feature value corresponding to the first API request; and determining the first forwarding label according to the feature value and a mapping table of the first forwarding label.
  • the first acquiring module specifically includes:
  • the device further includes:
  • a second receiving module, configured to receive a second API request, where the second API request carries a second forwarding label, and the second forwarding label includes the security domain identifier of the first API gateway and a first target service address;
  • a deletion module, configured to delete the second forwarding label in the second API request;
  • a second sending module, configured to send the second API request, after the second forwarding label is deleted, to the server corresponding to the first target service address.
  • the device further includes:
  • a third receiving module, configured to receive a third API request;
  • a second acquiring module, configured to acquire a third forwarding label corresponding to the third API request, where the third forwarding label includes the security domain identifier of the first API gateway and a second target service address;
  • a third sending module, configured to send the third API request to the server corresponding to the second target service address.
  • an application programming interface API gateway including a memory, a processor, and a communication interface, wherein:
  • the memory is configured to store a program instruction
  • the processor is configured to perform the following operations according to the program instructions stored in the memory: receiving a first API request through the communication interface; acquiring a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, and the security domain identifier of the first API gateway is different from the first target security domain identifier; and determining the address of a second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and sending the first API request to the second API gateway through the communication interface according to the address of the second API gateway, where the second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • the performing, by the processor, the operation of acquiring the first forwarding label corresponding to the first API request includes:
  • the performing, by the processor, the operation of acquiring the first forwarding label corresponding to the first API request includes:
  • the first parameter includes an API calling mode and/or a protocol version number; determining, according to the request path, the first parameter, and a preset eigenvalue algorithm, a feature value corresponding to the first API request; and determining the first forwarding label according to the feature value and a mapping table of the first forwarding label.
  • the performing, by the processor, the operation of acquiring the first forwarding label corresponding to the first API request includes:
  • the processor is further configured to perform the following operations according to the program instructions stored in the memory:
  • the processor is further configured to perform the following operations according to the program instructions stored in the memory:
  • receiving a third API request through the communication interface, and acquiring a third forwarding label corresponding to the third API request, where the third forwarding label includes the security domain identifier of the first API gateway and a second target service address;
  • sending, through the communication interface, the third API request to the server corresponding to the second target service address.
  • a computer readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of the first aspect.
  • the first API gateway receives the first API request, and may perform the first API request forwarding according to the first target security domain identifier in the first forwarding label. Since the number of security domain identifiers is far less than the number of request addresses, the number of queries of the correspondence table between the request address and the service address is reduced, thereby improving the efficiency of the API request.
  • FIG. 1 is a schematic diagram of a network system according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for transmitting an API request according to an embodiment of the present invention
  • FIG. 3 is a flowchart of an example of transmitting an API request according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of an apparatus for transmitting an API request according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of an apparatus for transmitting an API request according to an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of an apparatus for transmitting an API request according to an embodiment of the present disclosure
  • FIG. 7 is a schematic structural diagram of an API gateway according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for transmitting an API request, and the method may be applied to a scenario in which an API request is transmitted across a security domain.
  • FIG. 1 shows an example of a network system provided in an embodiment of the present invention.
  • The system includes three security domains, namely security domain A, security domain B, and security domain C.
  • Security domain A is provided with API gateway A.
  • Security domain B is provided with API gateway B.
  • Security domain C is provided with API gateway C.
  • Multiple servers can be set up in each security domain.
  • A client accessed in security domain A can send an API request to API gateway A; API gateway A sends the API request to API gateway C through API gateway B; and after receiving the API request, API gateway C forwards the API request to server 1 for processing.
  • the security domain may refer to a security level, and different services have different security levels, and different services are located in the corresponding security domain.
  • the embodiment of the invention provides a method for transmitting an API request, which can improve the efficiency of the API request, and the specific processing flow is as follows:
  • Step 201: The first API gateway receives the first API request.
  • The first API gateway may receive the first API request, where the first API request may be an API request sent by the client, or may be an API request forwarded by another API gateway.
  • The client can send the first API request to the first API gateway of the security domain to which the client belongs.
  • Alternatively, another API gateway may, using a pre-stored policy, forward the first API request to the first API gateway.
  • The first API request may carry a request path, and may also carry one or more of an API calling mode, a protocol version number, a request header, and a request additional parameter.
  • The server corresponding to the first API request is not located in the security domain of the first API gateway; this may also be expressed as the server corresponding to the first API request not belonging to, or not being set in, the security domain to which the first API gateway belongs.
  • Step 202: The first API gateway acquires a first forwarding label corresponding to the first API request.
  • The first forwarding label may include the first target security domain identifier; the security domain identifier of the first API gateway is different from the first target security domain identifier.
  • The target security domain identifier may be the identifier of the security domain to which the target server that the client needs to access belongs.
  • The first API gateway parses the first API request, determines whether the first API request carries the first forwarding label, and then obtains the first forwarding label corresponding to the first API request according to the determination result. There are two specific situations:
  • In the first situation, the first forwarding label carried in the first API request is obtained.
  • When the first API gateway receives the first API request forwarded by another API gateway, the first API request carries the first forwarding label added by that other API gateway.
  • The first API gateway may parse the first API request to obtain the first forwarding label carried in the first API request.
  • In the second situation, the first forwarding label corresponding to the first API request is determined according to the first API request and the pre-stored mapping table of the first forwarding label.
  • The mapping table of the first forwarding label is pre-stored in the first API gateway, and may be set by the administrator according to the actual service.
  • When the first API gateway receives the first API request sent by the client, the first API request does not carry the first forwarding label, and the first API gateway may determine the first forwarding label corresponding to the first API request according to the first API request and the pre-stored mapping table of the first forwarding label.
  • The first forwarding label corresponding to the first API request may be determined in various manners. This embodiment provides several feasible processing manners.
  • In the first manner, the first API gateway may determine the first forwarding label corresponding to the first API request according to the request path. The specific processing procedure is as follows:
  • Step 1: Obtain the request path carried by the first API request.
  • The first API gateway may parse the first API request to obtain the request path carried in the first API request.
  • The request path is the path part of the Uniform Resource Locator (URL) carried in the first API request. For example, if the URL in a HyperText Transfer Protocol (HTTP) request is http://192.168.1.1/test, the request path is /test.
  • Step 2: Determine the first forwarding label according to the request path and the mapping table of the first forwarding label.
  • The mapping table of the first forwarding label includes a correspondence between the request path and the first forwarding label.
  • The mapping table of the first forwarding label may be pre-stored in the first API gateway, and may be set by the administrator according to the actual service.
  • Table 1 shows an example of a mapping table of the first forwarding label, in which the request path is /test and the first target security domain identifier in the corresponding first forwarding label is A.
  • The first API gateway may query the mapping table of the first forwarding label for the entry containing the request path and obtain the first forwarding label in that entry, thereby obtaining the first forwarding label corresponding to the request path.
  • In the second manner, the first API gateway may determine the first forwarding label corresponding to the first API request according to a feature value. The specific processing procedure is as follows:
  • Step 1: Obtain the request path and the first parameter carried by the first API request.
  • The first parameter includes an API calling mode and/or a protocol version number.
  • The first API gateway may parse the first API request to obtain the request path and the first parameter carried in the first API request, where the first parameter may include the API calling mode and/or the protocol version number. Take the HTTP protocol as an example.
  • The API calling mode is the calling method in the HTTP protocol, such as get, post, put, delete, head, connect, options, or trace.
  • The protocol version number is the protocol version number of HTTP, for example, HTTP 1.0 or HTTP 1.1.
  • Step 2: Determine, according to the request path, the first parameter, and the preset eigenvalue algorithm, the feature value corresponding to the first API request.
  • The eigenvalue algorithm may be pre-stored in the first API gateway, and may be set by an administrator.
  • The eigenvalue algorithm may be a hash algorithm, or may be another eigenvalue algorithm, which is not limited by the present invention.
  • The first API gateway may calculate the feature value according to the pre-stored eigenvalue algorithm, the request path, and the first parameter. For example, the first API gateway may calculate a hash value according to a pre-stored hash algorithm, the request path, and the first parameter.
  • Step 3: Determine the first forwarding label according to the feature value and the mapping table of the first forwarding label.
  • The mapping table of the first forwarding label includes a correspondence between the feature value and the first forwarding label.
  • The mapping table of the first forwarding label is pre-stored in the first API gateway, and may be set by an administrator.
  • Table 2 shows an example of a mapping table of the first forwarding label, in which the feature value is 0xA26067F3 and the first target security domain identifier in the corresponding first forwarding label is A.
  • The first API gateway may query the mapping table of the first forwarding label for the entry containing the feature value and obtain the first forwarding label in that entry, thereby obtaining the first forwarding label corresponding to the feature value.
  • In the third manner, the first API gateway may determine the first forwarding label corresponding to the first API request according to the feature value and a third parameter. The specific processing procedure is as follows:
  • Step 1: Obtain the request path, the second parameter, and the third parameter carried by the first API request.
  • The second parameter may include an API calling mode and/or a protocol version number.
  • The third parameter may include a request header and/or a request additional parameter, and the request header and the request additional parameter may be stored as key-value pairs.
  • The first API gateway may parse the first API request to obtain the request path, the second parameter, and the third parameter carried in the first API request. It should be noted that the second parameter in this manner may be the same as or different from the first parameter in the second manner.
  • Step 2: Determine, according to the request path, the second parameter, and the preset eigenvalue algorithm, the feature value corresponding to the first API request.
  • The eigenvalue algorithm may be pre-stored in the first API gateway and may be set by an administrator; it may be a hash algorithm or another eigenvalue algorithm, which is not limited by the present invention.
  • The feature value may be calculated according to the pre-stored eigenvalue algorithm, the request path, and the second parameter.
  • For example, the first API gateway may calculate a hash value according to a pre-stored hash algorithm, the request path, and the second parameter.
  • Step 3: Determine the first forwarding label according to the feature value, the third parameter, and the mapping table of the first forwarding label.
  • The mapping table of the first forwarding label includes a correspondence among the feature value, the third parameter, and the first forwarding label.
  • The mapping table of the first forwarding label is pre-stored in the first API gateway, and may be set by the administrator according to the actual service.
  • Table 3 shows an example of a mapping table of the first forwarding label, in which the feature value is 0xA26067F3, the request header is qq.com, the request additional parameter is 1, and the first target security domain identifier in the corresponding first forwarding label is A.
  • The first API gateway may query the mapping table of the first forwarding label for the entry containing the feature value and the third parameter and obtain the first forwarding label in that entry, thereby obtaining the first forwarding label corresponding to the feature value and the third parameter.
  • The first API gateway may also determine the first forwarding label corresponding to the first API request in other manners.
  • For example, the first API gateway may obtain the request path and the third parameter carried in the first API request, calculate the feature value according to the pre-stored eigenvalue algorithm, the request path, and the third parameter, and then determine the first forwarding label corresponding to the first API request according to the feature value and the pre-stored mapping table of the first forwarding label.
  • In this case, the mapping table of the first forwarding label includes a correspondence between the feature value and the first forwarding label.
  • Alternatively, the first API gateway may obtain the request path, the second parameter, and the third parameter carried in the first API request, calculate the feature value according to the pre-stored eigenvalue algorithm, the request path, the second parameter, and the third parameter, and then determine the first forwarding label corresponding to the first API request according to the feature value and the pre-stored mapping table of the first forwarding label.
  • In this case, the mapping table of the first forwarding label includes a correspondence between the feature value and the first forwarding label.
  • Step 203: The first API gateway determines the address of the second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and sends the first API request to the second API gateway according to the address of the second API gateway.
  • The second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • The first API gateway may forward the first API request according to the first target security domain identifier in the first forwarding label. Since the number of security domain identifiers is far smaller than the number of request addresses, the number of queries of the correspondence table between request addresses and service addresses is reduced, thereby improving the efficiency of the API request.
  • The correspondence between the first target security domain identifier and the address of the second API gateway may be pre-stored in the first API gateway, and may be set by an administrator.
  • The correspondence can be as shown in Table 4:
  • The first API gateway may query the correspondence between the first target security domain identifier and the address of the second API gateway for the address of the second API gateway corresponding to the first target security domain identifier.
  • The address of the second API gateway may be an Internet Protocol (IP) address, or may be another address used to identify the second API gateway, which is not limited by the present invention.
  • The first API gateway may forward the first API request to the second API gateway according to the address of the second API gateway.
  • The first API gateway may first delete the forwarding label in the second API request, and then forward the second API request to the server.
  • The specific processing is as follows:
  • Step 1: The first API gateway receives the second API request.
  • The second API request carries a second forwarding label, where the second forwarding label includes the security domain identifier of the first API gateway and a first target service address.
  • When the first API gateway receives the second API request forwarded by another API gateway, the second API request carries the second forwarding label added by that other API gateway.
  • The first API gateway may parse the second API request to obtain the second forwarding label carried in the second API request.
  • Step 2: The first API gateway deletes the second forwarding label in the second API request.
  • The first API gateway may pre-store the security domain identifier of the security domain to which the first API gateway belongs. After determining the second forwarding label corresponding to the second API request, the first API gateway may determine whether the security domain identifier of the first API gateway carried in the second forwarding label is the same as the locally pre-stored security domain identifier, and if so, perform step 3.
  • Step 3: The first API gateway sends the second API request, after the second forwarding label is deleted, to the server corresponding to the first target service address.
  • The server corresponding to the second API request is located in the security domain of the first API gateway.
  • That the server corresponding to the second API request is located in the security domain of the first API gateway may also be expressed as the server corresponding to the second API request belonging to, or being set in, the security domain to which the first API gateway belongs.
  • The first API gateway may determine the location of the second forwarding label in the second API request, delete the second forwarding label, and finally forward the second API request, after the second forwarding label is deleted, to the server corresponding to the first target service address, so that the server processes the second API request. In this way, redundant information in the API request can be reduced.
  • When the first API gateway receives the third API request, if the server corresponding to the third API request is in the security domain of the first API gateway, the first API gateway directly forwards the third API request to the server.
  • The specific processing is as follows:
  • Step 1 The first API gateway receives the third API request.
  • Step 2 The first API gateway acquires a third forwarding label corresponding to the third API request.
  • The third forwarding label includes the security domain identifier of the first API gateway and a second target service address.
  • The mapping table of the third forwarding label is pre-stored in the first API gateway, and the mapping table of the third forwarding label may be set by the administrator according to the actual service.
  • When the first API gateway receives the third API request sent by the client, the third API request does not carry the third forwarding label, and the first API gateway may determine the third forwarding label corresponding to the third API request according to the third API request and the pre-stored mapping table of the third forwarding label. For the specific processing, refer to step 202; details are not described herein again.
  • Step 3 The first API gateway sends the third API request to the server corresponding to the second target service address.
  • The security domain identifier of the security domain to which the first API gateway belongs may be pre-stored in the first API gateway. After determining the third forwarding label corresponding to the third API request, the first API gateway may determine whether the security domain identifier of the first API gateway carried in the third forwarding label is the same as the locally pre-stored security domain identifier.
  • The server corresponding to the third API request is located in the security domain of the first API gateway.
  • The first API gateway may forward the third API request to the server corresponding to the second target service address, so that the server processes the third API request.
  • When the first API gateway receives the first API request sent by the client, since the first API request does not carry the first forwarding label, the first API gateway needs to first add the first forwarding label to the first API request and then forward the first API request to the second API gateway. The specific process is as follows: the first forwarding label is added to the first API request, and the first API request with the first forwarding label added is sent to the second API gateway corresponding to the first target security domain identifier.
  • The first API gateway may add the first forwarding label at a preset location in the first API request, and forward the first API request with the first forwarding label added to the second API gateway corresponding to the first target security domain identifier. In this way, the second API gateway can perform corresponding processing according to the first forwarding label.
  • The network system further includes a management server connected to the API gateway in each security domain, and the administrator may pre-configure the forwarding label mapping table in the management server.
  • The API gateway in each security domain can obtain a forwarding label mapping table from the management server. In this way, the workload of the administrator to configure the forwarding label mapping table can be effectively reduced.
  • The mapping table of the first forwarding label may further include an update duration of each entry.
  • An update duration may be assigned to the entry, together with a timer corresponding to the entry; when the duration recorded by the timer reaches the update duration, the first API gateway can update the entry.
  • The update duration of the entry is 3000s.
  • The first API gateway can query the management server for the security domain identifier and service address corresponding to the request path according to the request path.
  • the timer is reset to 0; if not, the security stored in the first API gateway is updated.
  • The present invention also provides an example of transmitting an API request. As shown in FIG. 3, the example specifically includes the following steps:
  • Step 301 The first API gateway receives the API request.
  • Step 302 The first API gateway determines whether the API request carries a forwarding label. If it is carried, step 304 to step 305 are performed. Otherwise, step 303 and step 305 are performed.
  • Step 303 The first API gateway determines the forwarding label corresponding to the API request according to the pre-stored mapping between API requests and forwarding labels, and performs step 305.
  • Step 304 The first API gateway acquires the forwarding label carried in the API request.
  • Step 305 The first API gateway determines whether the target security domain identifier is the same as the security domain identifier of the first API gateway. If they are the same, step 306 is performed; otherwise, steps 307 to 308 are performed.
  • Step 306 The first API gateway deletes the forwarding label carried in the API request, and forwards the API request after deleting the forwarding label to the server corresponding to the target service address.
  • Step 307 The first API gateway determines, according to the correspondence between the pre-stored target security domain identifier and the address of the second API gateway, the address of the next second API gateway corresponding to the target security domain identifier.
  • Step 308 The first API gateway adds the forwarding label to the API request, and sends the API request after adding the forwarding label to the second API gateway corresponding to the target security domain identifier.
  • For the specific processing procedure of step 301 to step 308, reference may be made to step 201 to step 203, and the description is not repeated herein.
  • The first API gateway may forward the first API request according to the first target security domain identifier in the first forwarding label. Since the number of security domain identifiers is far smaller than the number of request addresses, the number of queries of the correspondence table between the request address and the service address is reduced, thereby improving the efficiency of the API request.
  • An embodiment of the present invention further provides an apparatus for transmitting an application programming interface API request, where the apparatus is applied to a first API gateway. As shown in FIG. 4, the apparatus includes:
  • the first receiving module 410 is configured to receive a first API request;
  • the first obtaining module 420 is configured to obtain a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, where the security domain identifier of the first API gateway is different from the first target security domain identifier;
  • the first sending module 430 is configured to determine an address of the second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and send the first API request to the second API gateway according to the address of the second API gateway, where the second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • the first obtaining module 420 specifically includes:
  • the first forwarding label is determined according to the mapping between the request path and the first forwarding label.
  • the first obtaining module 420 specifically includes:
  • the first obtaining module 420 specifically includes:
  • The device further includes:
  • a second receiving module 440 configured to receive a second API request, where the second API request carries a second forwarding label, where the second forwarding label includes a security domain identifier of the first API gateway and a first target service address;
  • the deleting module 450 is configured to delete the second forwarding label in the second API request;
  • the second sending module 460 is configured to send the second API request after deleting the second forwarding label to the server corresponding to the first target service address.
  • The device further includes:
  • the third receiving module 470 is configured to receive a third API request;
  • the second obtaining module 480 is configured to obtain a third forwarding label corresponding to the third API request, where the third forwarding label includes a security domain identifier of the first API gateway and a second target service address;
  • the third sending module 490 is configured to send the third API request to the server corresponding to the second target service address.
  • The first obtaining module 420 may determine, according to the mapping table of the first forwarding label, the first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier. Then, the first sending module 430 determines the address of the second API gateway according to the correspondence between the first target security domain identifier and the address of the second API gateway, and sends the first API request to the second API gateway. The subsequent second API gateway can then process the request directly according to the first forwarding label, without querying the first forwarding label mapping table again, thereby improving the efficiency of the API request.
  • An embodiment of the present invention further provides an application programming interface API gateway.
  • The API gateway includes a memory 710, a processor 720, and a communication interface 730, where:
  • the memory 710 is configured to store program instructions;
  • the processor 720 is configured to perform the following operations according to the program instructions stored in the memory 710:
  • acquiring a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, where the security domain identifier of the first API gateway is different from the first target security domain identifier;
  • sending the first API request to the second API gateway, where the second API gateway is the next-hop API gateway through which the first API gateway sends the first API request to the API gateway corresponding to the first target security domain identifier.
  • the performing, by the processor 720, the operation of acquiring the first forwarding label corresponding to the first API request includes:
  • the performing, by the processor 720, the operation of acquiring the first forwarding label corresponding to the first API request includes:
  • the processor 720 performs an operation of acquiring a first forwarding label corresponding to the first API request, including:
  • the processor 720 is further configured to perform the following operations according to the program instructions stored in the memory 710:
  • the processor 720 is further configured to perform the following operations according to the program instructions stored in the memory 710:
  • the third forwarding label includes the security domain identifier of the first API gateway and a second target service address;
  • The apparatus for transmitting the application programming interface API request provided by FIG. 4, FIG. 5 and FIG. 6 may be implemented by the API gateway shown in FIG. 7. Specifically, each of the modules of the apparatus in FIG. 4, FIG. 5 and FIG. 6 may be implemented by a combination of the memory 710, the processor 720, and the interface 730 of the API gateway shown in FIG. 7, or may be implemented in part by the memory 710, the processor 720, and the interface 730, with the other portions implemented by dedicated hardware.
  • The apparatus for transmitting the application programming interface API request provided by FIG. 4, FIG. 5, and FIG. 6 may also be implemented by a dedicated hardware device.
  • The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions.
  • When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are generated in whole or in part.
  • The computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • The computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another computer readable storage medium. For example, the computer instructions can be transferred from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.).
  • The computer readable storage medium can be any usable medium that can be accessed by a computer, or a data storage device, such as a server or data center, that includes one or more usable media.
  • The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (such as a solid state disk (SSD)).
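
The forwarding procedure of steps 301 to 308 above, as an added example that is not code from the patent or its applicant: a three-domain simulation showing that only the entry gateway queries the request-path mapping table and that the forwarding label is deleted before the request reaches the server. The class names, the /orders and /users paths, the addresses and the hop limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ForwardingLabel:
    target_domain: str    # target security domain identifier
    service_address: str  # target service address


@dataclass
class ApiRequest:
    path: str                                # request path
    label: Optional[ForwardingLabel] = None  # forwarding label, if one is carried


@dataclass
class Gateway:
    domain: str                            # security domain identifier of this gateway
    label_map: Dict[str, ForwardingLabel]  # mapping table: request path -> forwarding label
    next_hop: Dict[str, str]               # target domain identifier -> next-hop gateway address
    label_map_lookups: int = 0             # counts mapping-table queries (for the demo)

    def handle(self, req: ApiRequest) -> Tuple[str, str]:
        """Steps 301-308. Returns ("server", address) or ("gateway", address)."""
        if req.label is not None:                 # step 302 -> step 304
            label = req.label
        else:                                     # step 302 -> step 303
            self.label_map_lookups += 1
            if req.path not in self.label_map:
                raise LookupError(f"no forwarding label for {req.path!r}")
            label = self.label_map[req.path]
        if label.target_domain == self.domain:    # step 305
            req.label = None                      # step 306: delete the label
            return ("server", label.service_address)
        if label.target_domain not in self.next_hop:   # step 307
            raise LookupError(f"no next hop for domain {label.target_domain!r}")
        req.label = label                         # step 308: request carries the label
        return ("gateway", self.next_hop[label.target_domain])


def route(gateways: Dict[str, Gateway], entry: str, req: ApiRequest,
          max_hops: int = 8) -> List[Tuple[str, str, str]]:
    """Walk the request through the gateways; returns (gateway, kind, destination) hops."""
    trace, addr = [], entry
    for _ in range(max_hops):
        kind, dest = gateways[addr].handle(req)
        trace.append((addr, kind, dest))
        if kind == "server":
            return trace
        addr = dest
    # A misconfigured correspondence table can bounce a request between gateways.
    raise RuntimeError("hop limit exceeded: next-hop tables form a loop")


# Constructed sample topology (documentation address ranges, not from the page).
GW_A, GW_B, GW_C = "192.0.2.1", "192.0.2.2", "192.0.2.3"
ORDERS_SVC, USERS_SVC = "198.51.100.30:8443", "198.51.100.10:8443"


def build_demo_topology() -> Dict[str, Gateway]:
    return {
        GW_A: Gateway("A", {"/orders": ForwardingLabel("C", ORDERS_SVC),
                            "/users": ForwardingLabel("A", USERS_SVC)},
                      {"B": GW_B, "C": GW_B}),   # domain C is reached via B
        GW_B: Gateway("B", {}, {"A": GW_A, "C": GW_C}),
        GW_C: Gateway("C", {}, {"A": GW_B, "B": GW_B}),
    }


if __name__ == "__main__":
    gws = build_demo_topology()
    req = ApiRequest("/orders")
    for hop in route(gws, GW_A, req):
        print(hop)
    print("label after delivery:", req.label)
    print("mapping-table lookups:", {a: g.label_map_lookups for a, g in gws.items()})
```

The intermediate gateway in domain B forwards on the label alone, so its own mapping table can stay empty for paths it does not serve.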

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and an apparatus for transmitting an application programming interface request, pertaining to the technical field of computers. The method comprises the following steps: a first API gateway receives a first API request; the first API gateway acquires a first forwarding label corresponding to the first API request, the first forwarding label containing a first target security domain identifier, a security domain identifier of the first API gateway being different from the first target security domain identifier; and the first API gateway determines, according to a correspondence between the first target security domain identifier and the address of a second API gateway, the address of the second API gateway, and sends, according to the address of the second API gateway, the first API request to the second API gateway, the second API gateway being a next-hop API gateway of the first API gateway for sending the first API request to an API gateway corresponding to the first target security domain identifier. The present invention makes it possible to improve the efficiency of an API request.
PCT/CN2019/077392 2018-03-13 2019-03-08 System and apparatus for transmitting an application programming interface (API) request WO2019174523A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP19767599.4A EP3726786B1 (fr) 2018-03-13 2019-03-08 System and apparatus for transmitting an application programming interface (API) request
JP2020536559A JP7056893B2 (ja) 2018-03-13 2019-03-08 Method, apparatus, API gateway, and program for transmitting application programming interface API request
US16/933,195 US11956210B2 (en) 2018-03-13 2020-07-20 Method and apparatus for transmitting application programming interface API request

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810203025.XA CN108494755B (zh) 2018-03-13 2018-03-13 Method and apparatus for transmitting application programming interface API request
CN201810203025.X 2018-03-13

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/933,195 Continuation US11956210B2 (en) 2018-03-13 2020-07-20 Method and apparatus for transmitting application programming interface API request

Publications (1)

Publication Number Publication Date
WO2019174523A1 true WO2019174523A1 (fr) 2019-09-19

Family

ID=63338555

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/077392 WO2019174523A1 (fr) 2018-03-13 2019-03-08 System and apparatus for transmitting an application programming interface (API) request

Country Status (5)

Country Link
US (1) US11956210B2 (fr)
EP (1) EP3726786B1 (fr)
JP (1) JP7056893B2 (fr)
CN (1) CN108494755B (fr)
WO (1) WO2019174523A1 (fr)

Also Published As

Publication number Publication date
EP3726786A4 (fr) 2021-01-13
US11956210B2 (en) 2024-04-09
EP3726786A1 (fr) 2020-10-21
US20200351243A1 (en) 2020-11-05
CN108494755B (zh) 2020-04-03
EP3726786B1 (fr) 2022-09-21
JP2021511702A (ja) 2021-05-06
CN108494755A (zh) 2018-09-04
JP7056893B2 (ja) 2022-04-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19767599

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020536559

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2019767599

Country of ref document: EP

Effective date: 20200713

NENP Non-entry into the national phase

Ref country code: DE